Post-quantum cryptographic upgrades can shield future communications from quantum-capable adversaries, but they cannot retroactively protect data that has already been intercepted and stored under today’s vulnerable encryption. This asymmetry, sometimes called the retroactive decryption trap, means that every encrypted payload captured now becomes a ticking liability once a cryptographically relevant quantum computer (CRQC) arrives.
TLDR KEY POINTS
- Harvest-now-decrypt-later attacks let adversaries stockpile encrypted data today and break it once quantum hardware matures.
- Non-privacy blockchains like Bitcoin face future signature forgery, while privacy chains face retroactive exposure of already-recorded encrypted transactions.
- Migrating to post-quantum algorithms closes the window going forward but cannot recall ciphertext that adversaries have already copied.
How the retroactive decryption trap works
The harvest-now-decrypt-later timeline
The attack model is straightforward. An adversary with sufficient storage capacity records encrypted traffic today, knowing that current encryption schemes will eventually fall to quantum algorithms. When a CRQC becomes available, the attacker decrypts the archived material at leisure.
Justin Thaler of a16z crypto has drawn a critical distinction: harvest-now-decrypt-later attacks apply to encrypted data, not to digital signatures. Signatures do not hide confidential information that can later be extracted; they authorize actions. This means the retroactive threat is specifically about confidentiality, not authentication.
“Harvest now, decrypt later attacks apply to encrypted data.”
— Justin Thaler, a16z crypto
What data is at risk
Encrypted traffic archives, database backups, metadata-rich communications records, and any long-retention encrypted payload are attractive targets. The longer the shelf life of the secret, the higher the payoff for an adversary willing to wait.
Privacy-preserving blockchains that encrypt recipient addresses or transaction amounts are particularly exposed. According to the same a16z analysis, these chains can have historical data retroactively deanonymized once a CRQC exists, even if they complete a post-quantum upgrade afterward. The encrypted on-chain records are already public and permanently stored.
Why the threat matters before quantum attacks arrive
The danger is neither hypothetical nor confined to the future. Collection is happening now, under pre-quantum conditions. State-level actors and well-resourced organizations have both the storage capacity and the strategic patience to archive encrypted traffic at scale for years or decades.
Google has publicly set a 2029 timeline for post-quantum cryptography migration, signaling that the company considers the threat window close enough to warrant enterprise-wide action now. A separate Google Quantum AI whitepaper published on March 30, 2026 estimated that breaking secp256k1 could require fewer than 500,000 physical qubits, with key derivation completing in roughly nine minutes on a superconducting architecture.
Why post-quantum upgrades protect the future, not the past
Forward sessions versus archived records
Rotating into post-quantum algorithms, such as the standards NIST finalized in 2024 or the HQC backup key-encapsulation mechanism selected in March 2025, protects new key exchanges and new encrypted sessions. It does nothing for ciphertext generated under the old schemes.
This is a fundamental property of cryptographic migration: you can change the lock on the door going forward, but you cannot un-copy a document that was already photographed. The distinction matters most for data with long confidentiality requirements, such as health records, financial archives, national security communications, and privacy-chain transaction histories.
Non-privacy chains face a different risk profile
Most non-privacy blockchains, including Bitcoin and Ethereum, primarily use elliptic-curve signatures for transaction authorization rather than encryption for confidentiality. Their core quantum risk is future signature forgery, not retroactive decryption of old transactions.
The Google Quantum AI whitepaper modeled a specific Bitcoin on-spend attack scenario: with approximately nine minutes of key derivation time, an attacker could achieve roughly a 41% theft risk before the next 10-minute Bitcoin block confirms. This is a forward-looking attack that requires intercepting a transaction in real time, not a retrospective one. Large whale movements, like the recent 122,355 ETH transfer linked to Eric Voorhees, illustrate the scale of value that would be at stake in such scenarios.
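As an added reconstruction (not part of the original article, and an assumption about the whitepaper's model rather than a quotation of it): if block arrivals are treated as memoryless with a mean interval of $\bar{T} = 10$ minutes, the roughly 41% figure follows directly from the nine-minute derivation time $t$.

$$
P(\text{no block within } t) = e^{-t/\bar{T}}, \qquad
P(\text{no block within } 9\ \text{min}) = e^{-9/10} \approx 0.407
$$

In about 41% of cases the victim transaction is therefore still unconfirmed when key derivation completes, and in the remaining roughly 59% the block confirms first; shortening the derivation time or lengthening the confirmation window moves this exposure in opposite directions.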
Privacy chains, by contrast, carry both risks: future signature forgery and retroactive decryption of encrypted transaction data that is already sitting on public ledgers.
Industry response is already underway
Coinbase has disclosed that its post-quantum roadmap includes updating Bitcoin address handling and internal key-management systems. The exchange, which recently made headlines over its OCC conditional nod, has established an independent advisory board specifically for quantum computing and blockchain risks.
NIST’s standardization pipeline provides the algorithmic foundation. The agency finalized the first three post-quantum standards in 2024, with a final HQC standard expected by 2027. Google’s Android 17 is already integrating ML-DSA in alignment with NIST, tying the enterprise migration path to standardized primitives rather than experimental schemes.
What organizations and users can still do now
Prioritize by sensitivity and shelf life
Not all data carries equal retroactive risk. Organizations should inventory encrypted assets by confidentiality shelf life: data that must remain secret for 10 or more years is already inside the threat window. Financial records, health data, trade secrets, and privacy-chain transaction histories rank highest.
Bitcoin at $66,978 and a $1.34 trillion market cap represents an enormous pool of value secured by elliptic-curve cryptography. While Bitcoin’s transparency means most transaction data is already public, any systems layering encryption on top of Bitcoin infrastructure, such as custodial platforms or institutional wallet management tools, should audit their cryptographic dependencies now.
Reduce retention and reclassify exposed archives
Where possible, shortening data retention windows limits the volume of material available for future decryption. Archives that were encrypted under now-vulnerable schemes should be reclassified as potentially exposed rather than treated as secure.
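The following triage script is an added example, not the article's or any vendor's code: it ranks an inventory of encrypted assets by confidentiality shelf life against an assumed CRQC horizon, flags those that should be reclassified as potentially exposed, and models a post-quantum rollout to show that only ciphertext created after the rollout changes status. The inventory, scheme names and the 2035 horizon are constructed assumptions.

```python
"""Constructed example of shelf-life triage for harvest-now-decrypt-later exposure.
Not the article's code: the inventory, scheme names and horizon year are assumptions."""
from dataclasses import dataclass, replace

# Key-exchange / key-wrap schemes whose confidentiality a CRQC breaks via Shor.
QUANTUM_VULNERABLE = {"RSA-2048", "ECDH-P256", "X25519", "ECIES-secp256k1"}
# Planning parameter, not a claim from the article: year a CRQC is assumed to exist.
CRQC_YEAR = 2035

@dataclass(frozen=True)
class EncryptedAsset:
    name: str
    key_exchange: str      # scheme protecting the content or session key
    encrypted_year: int    # when the ciphertext was produced (and could be captured)
    shelf_life_years: int  # how long the plaintext must remain confidential

def secrecy_ends(asset: EncryptedAsset) -> int:
    return asset.encrypted_year + asset.shelf_life_years

def is_hndl_exposed(asset: EncryptedAsset, crqc_year: int = CRQC_YEAR) -> bool:
    """True if captured ciphertext must still be secret in the year a CRQC exists."""
    return asset.key_exchange in QUANTUM_VULNERABLE and secrecy_ends(asset) >= crqc_year

def triage(assets, crqc_year=CRQC_YEAR):
    """Exposed assets, longest residual secrecy requirement first."""
    exposed = [a for a in assets if is_hndl_exposed(a, crqc_year)]
    return sorted(exposed, key=secrecy_ends, reverse=True)

def migrate(assets, migration_year, new_scheme="ML-KEM-768"):
    """Model a PQ rollout: only ciphertext created from migration_year on gets the
    new scheme; anything encrypted earlier keeps the scheme it was captured under."""
    return [replace(a, key_exchange=new_scheme) if a.encrypted_year >= migration_year else a
            for a in assets]

INVENTORY = [  # constructed sample inventory
    EncryptedAsset("tls-capture-2024", "X25519", 2024, 2),
    EncryptedAsset("health-records-backup", "RSA-2048", 2023, 25),
    EncryptedAsset("privacy-chain-tx-history", "ECIES-secp256k1", 2021, 50),
    EncryptedAsset("trade-secrets-archive", "ECDH-P256", 2020, 15),
    EncryptedAsset("session-after-rollout", "X25519", 2030, 20),
]

if __name__ == "__main__":
    # Everything still listed here was captured under a vulnerable scheme before the rollout.
    for a in triage(migrate(INVENTORY, 2029)):
        print(f"{a.name}: reclassify as potentially exposed (secret until {secrecy_ends(a)})")
```

Running it shows that the 2029 rollout removes only the post-rollout session from the exposed list; the older archives keep their status and must be reclassified rather than treated as secure.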
This is not a theoretical exercise. According to an unconfirmed report carried by Bitcoin.com, Fhenix CEO Guy Zyskind has argued that lattice-based post-quantum cryptography plus encrypted mempools represent the essential technical fix, while also acknowledging that past privacy cannot be recovered after migration. No primary source for these specific remarks has been independently verified.
Set honest expectations
The most important organizational message is also the hardest: migration to post-quantum standards is necessary and urgent, but it is not a retroactive cure. It limits future exposure and reduces residual impact. It does not reverse collection that has already occurred.
The Fear and Greed Index sitting at 11, deep in Extreme Fear territory, reflects broader market anxiety that extends beyond quantum risk. But the retroactive decryption trap is a structural problem that persists regardless of market sentiment, and organizations that delay migration are widening the window of vulnerable data every day.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.
